
PW - How to Handle Getting Dumped: Compromised Passwords

BSides Las Vegas · 21:17 · 49 views · Published 2023-10
About this talk
PasswordsCon track, 11:30 Wednesday. Your company has a strong password policy, awareness campaigns, and an established culture of good password hygiene. None of it seems to matter in that soul-crushing moment when a malware operator dumps passwords that include one of your company's accounts. I'll step you through renewing hope after a password dump, including where dumps come from, what to do with them, and what the best value and the pitfalls can be. Speaker: Susan Paskey
Transcript (en)

Host: All right, welcome back everybody, and good morning to you. Welcome back to BSides Las Vegas 2023. Today we have "How to Handle Getting Dumped: Compromised Passwords." This is Susan Paskey, who will be presenting. We'd like to first thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Semgrep, BlueCat, PlexTrac and ConductorOne. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. As a reminder, these talks are being streamed live and will be recorded and made available to you after the conference, so please take this moment to make sure that your phones are silent or completely off. Also, because this is a little bit of a shorter talk, I do ask that you all save your questions for the very end. If we do have time, I will come around with a microphone for you to ask them, but please do not ask or raise your hand for questions in the middle of the talk; save them for the very end. With that, I'll turn it over to Susan.

Susan Paskey: Cool, thank you. So this is "How to Handle Getting Dumped." I write some kind of clever titles, and sometimes it's not always completely clear what it is I'm going to talk about, so I'm going to set a few expectations here. First of all, don't take it personally; sometimes it really is about them, it's not about you. I also mean this to be about organizational security. The stuff about taking it for your own personal use is just a little bit incidental; I mean this mostly for organizational security. And I'm not going to be talking about cookies or tokens; I'm just focusing on passwords, primarily, in this talk.

Who am I, and why should you listen to me? During my day job I'm a threat hunter and incident response team investigator, so I'm looking at this data quite a bit. During my nights and weekends I'm a hack coordinator in the North Carolina Raleigh-Durham area for BSides RDU, CackalackyCon, DC919, very involved in the community. I call myself an "expert in one room," and I say expert in quotes: it's really just that I can Google the information faster than anybody else on the team, and that kind of makes me the expert, and it's also only in that one room. I like to come out into these larger rooms where maybe I'm not the expert anymore; there are other experts that I can learn from, or I can teach other people to be the experts where they are. And when I'm not doing anything technically related, lately I've been doing improv comedy, going out and playing "Whose Line Is It Anyway" type games with a group of people, so you'll see some kind of bad jokes pop up through this talk.

Why am I talking about passwords? I mean, it's PasswordsCon. But last year I did a presentation about second-factor, multi-factor authentication: the secrets, and going threat hunting in there and finding interesting things. And I decided to shift left a little bit and take a look at, hey, what are the logs that are available for password compromises and password dumps?

So, password dumps 101. How do they get dumped in the first place? There are utilities like Mimikatz and Kiwi, gsecdump, creddump, pwdump. Then there are also the third-party breaches and password reuse; sometimes you don't always know how that happens or why that happens. The other thing is commodity malware. That area has started to expand more and more, and the landscape keeps changing with it. Some of the ones I looked into were RedLine Stealer, Mystic Stealer, Vidar, MetaStealer, Aurora, WhiteSnake, and then there's all sorts of other malware-as-a-service.

So what exactly is being dumped? What sort of information are we getting out of these? Obviously credentials and passwords. Sometimes you get browser history and cookies. They're able to get saved form data, credit card data, IP addresses, files and screenshots. In some cases they'll go after cold desktop cryptocurrency wallets, and associated with those are sometimes multi-factor codes, for some of those cryptocurrency wallets where they're kind of rolling their own MFA tokens as well, and some of these dumpers will grab that information.

And you might be saying to yourself, "But wait, I'm using Google Chrome and it has a password manager; I should be safe, right?" Who's using Google Chrome for their password manager? Anybody? Okay. So you probably know this; there's a little bit more going on there. On-device encryption: you have to go in and click that option, it's not turned on by default. So the passwords are encrypted while they're sent over the network and they're encrypted when they're saved at Google, but for on-device encryption they say "over time the security measure will be set up for everyone," so it is opt-in right now. That's something to keep in mind there.

All right, so where can you get your passwords? Where can you get them back from? There are underground marketplaces. There are Telegram channels that the malware operators have set up where they'll be dumping that information too. Have I Been Pwned is starting to pick up some of that information as well and making it available. There are initial access brokers, and then there are now vendors that are coming out and offering that as a service, to get that information for you to use.

So there's some good news. There are logs. I love looking at logs, all sorts of logs; they tell me things. And some of the logs that are coming out of some of these malware stealers are actually pretty good; they're better than some SaaS, like Fortune 500 company logs, where maybe those companies have decided to obfuscate things. The malware logs are actually really good, so when you delve in and look at them, it gives you quite a bit of good information. It's almost rivaling endpoint detection in the amount of information that it's giving you.

So you could take a look at the user data, and it gives you a good follow-up point: if it was one of your users that you find in one of these dumps, you know who to go to and who to remediate, and that helps you with focused education. You can also get some information about the IP location; maybe they were using a device or logging in from somewhere they shouldn't have been when they happened to get dumped, so you can check that out. Then there are also things like the device data, and particularly here you can pay attention to the asset, taking a look at whether it's a corporate asset. Did something that your company owns get compromised? Then you can go back and remediate it, and look at whether there were any other things that went along with that incident. Or if it was a personal device, do you have that range, do you have that scope, to do anything with it?

This can also be a surprise SOC assessment. Did your endpoint detection even fire? Did it recognize that this was malware? If it did recognize it, was the alert fired to your SOC correctly? And then if it did get there, did the analysts handle it correctly? Did they take a look and remediate it properly, or did they say, "Oh, this was a malware infection, we cleaned it up, closed ticket," completely ignoring that it was a credential stealer and not doing anything for the credential piece? And that could be the case, because you're now reading the passwords in a malware dump. If your endpoint didn't detect it, you could potentially have new malware here that you can go in and take a look at, and then you can also potentially get new IOCs.

And then another thing here: if you don't like the logs, or you think they're lacking some information, it turns out that Mystic Stealer, which was released in April this year, was put on prominent underground forums, and they had well-known veterans on that forum go through and give valuable feedback and information. So if you want to see enhancements to these logs, maybe go out on those forums and submit a request.

So, some of the bad news. With more money there are more problems. The attackers are making money off these dumps, to the tune of some of these paid Telegram channels being between $300 and $900 a month for you to access some of the password dumps. Initial access brokers are also selling this information; bids can start at $1,000 and buy-now for $10,000: get a big pack of passwords and go use that. And then vendor licensing plans: the vendors that are going out and finding this information for you and bundling it all together.

One of the other bad things is usability. You are getting data from malware. Does your zero trust plan include trusting malware dumps? There could also be misconfigurations: misconfigurations in the malware, misconfigurations on the endpoint. When it says those timestamps are in UTC, do you trust them? When you go back and look through your logs, how much further back do you go? Also, because these logs are money, are they just dumping gibberish data to sell it, and it's not even valid data? And then the other thing is sometimes you'll see hashes instead of plaintext passwords, so you have to go out and dump yourself in order to compare those hashes.

Then of course there are legal and policy questions. Ransomware versus passwords: will your company pay malicious people a ransom? And if you're not willing to pay for ransomware, are you willing to pay for passwords? There's also: is your company, or are you, willing to go directly to the source, or are you going to use a broker or vendor to kind of obfuscate that you're out in that space? And then of course there's personal versus corporate. What happens when you do get one of your employees, but it is a personal device and maybe a personal website that they were logging into, but they were using your corporate email address? How are you going to handle those things and communicate that?

So, turning all of this data into action. You're going to want to ingest. If you choose to, you get through legal and everything and you are able to ingest the data, you probably want to get that from a couple of different sources: maybe test out different sources, different vendors, different places where you're able to get that from. And then the first thing you want to do is validate that those usernames are legitimate, that they aren't just making up data that's completely false. And then once you've done that, you want to validate the passwords, the hash or the plaintext, to see how big of a deal it is, doing that initial triage to see how quickly you need to get on it and respond to it. You also want to check those host details, again talking about the corporate asset versus the personal asset and what you're able to do and focus on there. And then checking the IP details: were they logging in from somewhere they shouldn't have been, or using different assets?

And then the next piece is planning the response. How are you going to secure the user account? If the password is known, if it is fully compromised, locking that user out of the system and then getting them to secure their password, making them call in to do it, however you need to plan that to secure the account. And then securing the device: are you sure that the malware is off the device? If they reset their password and it's still infected, you're going to have to go through and secure the account again, re-secure the device again, and all that. And then you also want to plan the communications. If you're going to be taking a user offline, you want to have a good FAQ for them and for their manager: explain why you're taking it offline, explain why they're having to go through and remediate their laptop or whatever device. If it's not a corporate asset, how are you going to communicate to the user, like, "hey, you have malware on your personal device," or however you're able to communicate that?

And then, in the event that you do see that the password was correct, you want to first go through your authentication logs and see: is there an incident? Was it used from an unusual location, different from where that user usually logs in? And then also take a look at the second-factor, the multi-factor logs, and this is where I plug my talk from last year again, where I talk about going threat hunting in those multi-factor logs. If you do see the first factor used, go follow up on the second factor.

And then a couple of different ways to do mitigation. Discourage storing passwords in the browser, like Google Chrome, other browsers; that's kind of weak. Encourage good password managers, some of the well-known other brands, especially if you can provide that to your employees in such a way that they can then share it. Some password manager companies also offer home licenses, so if they're able to use that at home and you encourage that kind of culture there, they're more likely to use it in the office. So that's also where I encourage a work-life balance: are you allowing your employees to even use their personal devices to log in and use their credentials from there? Are you encouraging them to log in on the weekends, log in on nights, where they're maybe using a less secure device? And what are you even allowing in on your network? And then using the corporate assets, of course: making sure that your endpoint is up to date and you're using some defense in depth. And then SOC analyst training: making sure that they know that if they see malware, to follow up and see if it's a credential stealer, and then securing the accounts and things like that. And then of course use multi-factor authentication, use strong multi-factor authentication, and get the logs, look at the logs. Logs are awesome; just always read the logs.

And that's it. I get nervous and I talk fast, and I think I'm way under time. So I'm just going to say thanks to BSides Las Vegas for having me here, my RTP community (I talked to them about some of these things), co-workers, employees, the researchers out there (I pulled from a lot of other sources and vendors). And I guess my last bad joke here is: it's only credential intelligence if it's from the business floor region of Black Hat; otherwise it's just sparkling malware logs. All right, and at this point I'll take some questions.

Audience: [partly inaudible] How do you imagine this process starts? Does it [inaudible] password [inaudible]?

Susan Paskey: Okay, so the question was about how you start looking at the dumps. I think in most cases you're going out proactively and looking for those dumps, getting them that way. But if you do see a spike in password sprays or something, that might encourage you to go look at those dumps more quickly. So yeah, I think you'd be more proactive with it.

Audience: Is Pastebin still a thing with dumps?

Susan Paskey: Yeah, I think it is.

Audience: [partly inaudible question about admins and VIPs]

Susan Paskey: Okay, so the question was about admins and VIPs. When you say admins, do you mean admins like sysadmins, or do you mean like an executive, like an admin assistant to the VIP? Okay, so it was about issuing... okay, so it's about authenticators, and software or hard tokens to augment the passwords for MFA. Yeah, YubiKeys are really good. The "Secrets of the Second Factor" talk is all about the phone numbers and the push authentication and how weird that can get. Yeah, I would encourage the YubiKeys.

Audience: I have a mic. Mine is more about working with the vendor lists that they come out with. You're paying the vendor and they're providing you with "hey, here are the people in your organization that are seen, and they're all compromised," and they're mostly useless because they're old accounts that don't even exist anymore but just have your domain name on them, or we're changing passwords every 90 days and that breach was 120 days ago. Is there a better source that you've found?

Susan Paskey: At this point I haven't found a better source, and I know what you mean. Like the first week that we looked, it's like, "hey, here are your 780 hits," and we narrowed it down to like six that were actually still valid, and valid passwords, and then going out and actually actioning them. But how valuable are those six to you, even if you did have the 700 or whatever that were gibberish? So yeah.

Audience: So in your experience or opinion, how difficult do you think it is to get legal to understand the need for this kind of process, to acquire password dumps, etc.?

Susan Paskey: In my particular case, I think the conversations were had a little bit above me. But definitely getting data sheets; your vendor is going to help you if you choose to go the vendor route, and just probably being clear with that with legal is best, I think.

Host: There are two questions up front here. We only have time for two more, so okay, those will be the last two.

Audience: Which password managers do you like, and which don't you like?

Susan Paskey: The question is about which password managers I like and which ones I don't like. My family uses 1Password; my brother bought a license years and years ago, a family plan, so my whole family's on it. I have a 65-year-old uncle and he's like, "oh, this is cool, I can use a password manager," and now he's encouraging all his friends to use it, so kind of developing that culture. So then it was really easy when the workplace comes out and says, "hey, use this password manager," to roll into that. That's a good one. For the longest time I used KeePass personally. And I think if you went to the Diana Initiative, I think 1Password even gave a discount code.

Audience: In your research, have you seen any companies that have been looking to try to solve the problem, versus just monetizing the problem for their own personal gain?

Susan Paskey: Yeah, the question is about solving the problem versus monetizing the problem. Solving the problem of malware? I didn't come across that, no.

Audience: That was an inside joke. We're friends and we were talking about this. We see these major large corporations buy these passwords for pretty cheap and then sell them to companies for way more money.

Host: All right, that is unfortunately all the time we have. I'm sure Susan will be available up there for questions if you do have any. We do have a break now until the afternoon sessions, but thanks again so much for coming out, and please give one more hand for Susan. [Applause]
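The "turning data into action" steps from the talk (validate the usernames, validate the passwords, check the host, check the IP, then go back to the authentication and MFA logs for anything still valid) written out as one triage script. This is an added example, not code from the talk or from any vendor; the stealer records, the active-user list, the asset inventory, the baseline networks and the IdP sign-in events are all constructed stand-ins, and the PBKDF2 verifier is a placeholder for whatever your directory actually uses to check a password.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlparse

# ---- Constructed inputs: stand-ins for a vendor feed, your directory and your IdP ----

# Stealer-style records as a vendor or Telegram dump would list them (constructed).
STEALER_RECORDS = [
    {"url": "https://mail.example.com/login", "user": "alice@example.com",
     "password": "Spring2023!", "host": "DESKTOP-7G2K", "ip": "203.0.113.10"},
    {"url": "https://vpn.example.com", "user": "bob@example.com",
     "password": "OldPassw0rd", "host": "bobs-macbook", "ip": "198.51.100.7"},
    {"url": "https://shop.example.net", "user": "carol@example.com",
     "password": "hunter2", "host": "CAROL-PC", "ip": "192.0.2.44"},
    {"url": "https://mail.example.com/login", "user": "ghost@example.com",
     "password": "x", "host": "LAB", "ip": "203.0.113.99"},  # no such account
]
ACTIVE_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}
CORPORATE_HOSTS = {"DESKTOP-7G2K", "CAROL-PC"}      # asset inventory
CORPORATE_DOMAINS = ("example.com",)               # sites we own
BASELINE_NETWORKS = {                              # where each user normally signs in from
    "alice@example.com": ["10.20.0.0/16"],
    "bob@example.com": ["10.20.0.0/16"],
    "carol@example.com": ["10.20.0.0/16", "192.0.2.0/24"],
}
_SALT = b"constructed-salt"  # PBKDF2 here stands in for your directory's real verifier

def _verifier(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

CURRENT_VERIFIERS = {
    "alice@example.com": _verifier("Spring2023!"),  # still live: the dump is current
    "bob@example.com": _verifier("NewPassw0rd"),    # rotated since the dump
    "carol@example.com": _verifier("hunter2"),      # live, and reused on a third-party site
}
# IdP sign-in events (constructed).
AUTH_LOG = [
    {"user": "alice@example.com", "src_ip": "10.20.31.8", "first_factor": "success", "mfa": "push_approved"},
    {"user": "alice@example.com", "src_ip": "203.0.113.10", "first_factor": "success", "mfa": "push_approved"},
    {"user": "bob@example.com", "src_ip": "198.51.100.7", "first_factor": "failure", "mfa": "not_reached"},
    {"user": "carol@example.com", "src_ip": "198.51.100.200", "first_factor": "success", "mfa": "push_denied"},
]


def password_still_valid(user, plaintext):
    """Re-derive the dumped plaintext and compare against the current verifier in constant time."""
    expected = CURRENT_VERIFIERS.get(user)
    return expected is not None and hmac.compare_digest(_verifier(plaintext), expected)


def in_baseline(user, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in BASELINE_NETWORKS.get(user, []))


def triage(records):
    """Username, password and host checks from the talk, then a priority and an action list."""
    findings = {}
    for rec in records:
        user = rec["user"]
        f = {"url": rec["url"], "host": rec["host"], "actions": []}
        if user not in ACTIVE_USERS:                          # 1. is the username real?
            f["priority"] = "ignore"
            f["actions"].append("no such account: stale or filler record")
            findings[user] = f
            continue
        f["password_valid"] = password_still_valid(user, rec["password"])  # 2. is it current?
        f["corporate_asset"] = rec["host"] in CORPORATE_HOSTS               # 3. whose device?
        site = urlparse(rec["url"]).hostname or ""
        f["corporate_site"] = any(site == d or site.endswith("." + d) for d in CORPORATE_DOMAINS)
        if f["password_valid"] and f["corporate_site"]:
            f["priority"] = "P1"
            f["actions"] += ["lock account", "out-of-band password reset", "review auth and MFA logs"]
        elif f["password_valid"]:
            f["priority"] = "P2"
            f["actions"].append("corporate password reused on a third-party site: reset and educate")
        else:
            f["priority"] = "P3"
            f["actions"].append("password already rotated: confirm the device was actually cleaned")
        if f["corporate_asset"]:
            f["actions"].append("corporate host: pull the EDR timeline and check whether an alert fired")
        else:
            f["actions"].append("personal device: tell the user it is infected; your scope ends there")
        findings[user] = f
    return findings


def correlate_auth_logs(findings, events):
    """For accounts whose dumped password is still valid, list successful first-factor
    sign-ins from outside the user's baseline together with the MFA outcome."""
    hits = []
    for ev in events:
        f = findings.get(ev["user"])
        if not f or not f.get("password_valid") or ev["first_factor"] != "success":
            continue
        if not in_baseline(ev["user"], ev["src_ip"]):
            hits.append({"user": ev["user"], "src_ip": ev["src_ip"], "mfa": ev["mfa"]})
    return hits


if __name__ == "__main__":
    found = triage(STEALER_RECORDS)
    for user, f in found.items():
        print(f"{user}: {f['priority']}; " + "; ".join(f["actions"]))
    for hit in correlate_auth_logs(found, AUTH_LOG):
        print("follow up on MFA:", hit)
```

Run as a script it prints one line per dumped account with its priority and action list, then the sign-ins that need a second-factor follow-up: alice's first factor succeeded from outside her baseline with the push approved, carol's with the push denied. The P3 case (bob) is the one the audience question describes: the dumped password has already been rotated, so the account is not the finding, the possibly still-infected personal device is. The correlation deliberately skips rotated passwords; if you suspect the attacker used them before the rotation, widen the lookback the way the talk suggests.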